GitLab Advanced SAST rules: PHP
- Tier: Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Rules used by GitLab Advanced SAST to detect vulnerabilities in PHP code.
| Rule ID | Rule description | CWE | OWASP Top 10 | Status |
|---|---|---|---|---|
| php-doctrine-sqli-dbal-taint | Improper neutralization of special elements used in an SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 | N/A |
| php-doctrine-sqli-orm-taint | Improper neutralization of special elements used in an SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 | N/A |
| php-lang-accesscontrol-phpinfo-atomic | Exposure of sensitive system information to an unauthorized control sphere | CWE-497 | A5:2017, A01:2021 | N/A |
| php-lang-cmdi-taint | Improper neutralization of special elements used in an OS command (‘OS Command Injection’) | CWE-78 | A1:2017, A03:2021 | N/A |
| php-lang-codei-taint | Improper control of generation of code (‘Code Injection’) | CWE-94 | A1:2017, A03:2021 | N/A |
| php-lang-crypto-curl-ssl-verification-atomic | Improper certificate validation | CWE-295 | A3:2017, A02:2021 | N/A |
| php-lang-crypto-ftp-use-atomic | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 | N/A |
| php-lang-crypto-hash-atomic | Use of weak hash | CWE-328 | A3:2017, A02:2021 | N/A |
| php-lang-crypto-insecure-randomness-atomic | Use of cryptographically weak pseudo-random number generator (PRNG) | CWE-338 | A3:2017, A02:2021 | N/A |
| php-lang-crypto-mcrypt-cipher-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 | N/A |
| php-lang-crypto-mcrypt-cipher-mode-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 | N/A |
| php-lang-crypto-mhash-atomic | Use of weak hash | CWE-328 | A3:2017, A02:2021 | N/A |
| php-lang-crypto-openssl-cipher-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 | N/A |
| php-lang-crypto-openssl-hash-atomic | Use of weak hash | CWE-328 | A3:2017, A02:2021 | N/A |
| php-lang-crypto-openssl-verify-peer-atomic | Improper certificate validation | CWE-295 | A3:2017, A02:2021 | N/A |
| php-lang-crypto-weak-hash-atomic | Use of weak hash | CWE-328 | A3:2017, A02:2021 | N/A |
| php-lang-deserialization-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 | N/A |
| php-lang-ldapi-dn-taint | Improper neutralization of special elements used in an LDAP query (‘LDAP Injection’) | CWE-90 | A1:2017, A03:2021 | N/A |
| php-lang-ldapi-filter-taint | Improper neutralization of special elements used in an LDAP query (‘LDAP Injection’) | CWE-90 | A1:2017, A03:2021 | N/A |
| php-lang-misconfiguration-cookie-httponly-atomic | Sensitive cookie without ‘HttpOnly’ flag | CWE-1004 | A6:2017, A05:2021 | N/A |
| php-lang-misconfiguration-cookie-samesite-atomic | Sensitive cookie with improper SameSite attribute | CWE-1275 | A6:2017, A05:2021 | N/A |
| php-lang-misconfiguration-cookie-secure-atomic | Sensitive cookie in HTTPS session without ‘Secure’ attribute | CWE-614 | A6:2017, A05:2021 | N/A |
| php-lang-misconfiguration-session-httponly-atomic | Sensitive cookie without ‘HttpOnly’ flag | CWE-1004 | A6:2017, A05:2021 | N/A |
| php-lang-misconfiguration-session-samesite-atomic | Sensitive cookie with improper SameSite attribute | CWE-1275 | A6:2017, A05:2021 | N/A |
| php-lang-misconfiguration-session-secure-atomic | Sensitive cookie in HTTPS session without ‘Secure’ attribute | CWE-614 | A6:2017, A05:2021 | N/A |
| php-lang-misconfiguration-session-useonlycookies-atomic | Use of GET request method with sensitive query strings | CWE-598 | A6:2017, A05:2021 | N/A |
| php-lang-openredirect-taint | URL redirection to untrusted site (‘Open Redirect’) | CWE-601 | A5:2017, A01:2021 | N/A |
| php-lang-pathtraversal-information-disclosure-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 | N/A |
| php-lang-pathtraversal-medium-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 | N/A |
| php-lang-pathtraversal-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 | N/A |
| php-lang-sqli-inbuilt-libs-taint | Improper neutralization of special elements used in an SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 | N/A |
| php-lang-sqli-inbuilt-libs-two-taint | Improper neutralization of special elements used in an SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 | N/A |
| php-lang-ssrf-buzz-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 | N/A |
| php-lang-ssrf-curl-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 | N/A |
| php-lang-ssrf-functions-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 | N/A |
| php-lang-ssrf-guzzle-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 | N/A |
| php-lang-ssrf-httpful-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 | N/A |
| php-lang-ssrf-reactphp-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 | N/A |
| php-lang-xss-stored-one-taint | Improper neutralization of input during web page generation (‘Cross-site Scripting’) | CWE-79 | A1:2017, A03:2021 | N/A |
| php-lang-xss-stored-two-taint | Improper neutralization of input during web page generation (‘Cross-site Scripting’) | CWE-79 | A1:2017, A03:2021 | N/A |
| php-lang-xss-taint | Improper neutralization of input during web page generation (‘Cross-site Scripting’) | CWE-79 | A1:2017, A03:2021 | N/A |
| php-lang-xxe-domdocument-taint | Improper restriction of XML external entity reference | CWE-611 | A4:2017, A05:2021 | N/A |
| php-lang-xxe-domdocument-xinclude-taint | Improper restriction of XML external entity reference | CWE-611 | A4:2017, A05:2021 | N/A |
| php-lang-xxe-simplexml-taint | Improper restriction of XML external entity reference | CWE-611 | A4:2017, A05:2021 | N/A |
| php-lang-xxe-xmldocument-taint | Improper restriction of XML external entity reference | CWE-611 | A4:2017, A05:2021 | N/A |
| php-lang-xxe-xmlreader-taint | Improper restriction of XML external entity reference | CWE-611 | A4:2017, A05:2021 | N/A |
| php-laravel-cmdi-taint | Improper neutralization of special elements used in an OS command (‘OS Command Injection’) | CWE-78 | A1:2017, A03:2021 | N/A |
| php-laravel-misconfiguration-cookie-httponly-atomic | Sensitive cookie without ‘HttpOnly’ flag | CWE-1004 | A6:2017, A05:2021 | N/A |
| php-laravel-misconfiguration-cookie-samesite-atomic | Sensitive cookie with improper SameSite attribute | CWE-1275 | A6:2017, A05:2021 | N/A |
| php-laravel-misconfiguration-cookie-secure-atomic | Sensitive cookie in HTTPS session without ‘Secure’ attribute | CWE-614 | A6:2017, A05:2021 | N/A |
| php-laravel-misconfiguration-session-httponly-atomic | Sensitive cookie without ‘HttpOnly’ flag | CWE-1004 | A6:2017, A05:2021 | N/A |
| php-laravel-misconfiguration-session-samesite-atomic | Sensitive cookie with improper SameSite attribute | CWE-1275 | A6:2017, A05:2021 | N/A |
| php-laravel-misconfiguration-session-secure-atomic | Sensitive cookie in HTTPS session without ‘Secure’ attribute | CWE-614 | A6:2017, A05:2021 | N/A |
| php-laravel-openredirect-taint | URL redirection to untrusted site (‘Open Redirect’) | CWE-601 | A5:2017, A01:2021 | N/A |
| php-laravel-pathtraversal-file-facade-information-disclosure-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 | N/A |
| php-laravel-pathtraversal-file-facade-medium-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 | N/A |
| php-laravel-pathtraversal-file-facade-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 | N/A |
| php-laravel-pathtraversal-request-response-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 | N/A |
| php-laravel-pathtraversal-storage-facade-information-disclosure-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 | N/A |
| php-laravel-pathtraversal-storage-facade-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 | N/A |
| php-laravel-pathtraversal-view-facade-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 | N/A |
| php-laravel-sqli-column-one-taint | Improper neutralization of special elements used in an SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 | N/A |
| php-laravel-sqli-column-two-taint | Improper neutralization of special elements used in an SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 | N/A |
| php-laravel-sqli-raw-queries-taint | Improper neutralization of special elements used in an SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 | N/A |
| php-laravel-ssrf-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 | N/A |
| php-laravel-ssti-taint | Improper neutralization of special elements used in a template engine | CWE-1336 | A1:2017, A03:2021 | N/A |
| php-laravel-xss-stored-one-taint | Improper neutralization of input during web page generation (‘Cross-site Scripting’) | CWE-79 | A1:2017, A03:2021 | Added 2026-02-17 |
| php-laravel-xss-stored-two-taint | Improper neutralization of input during web page generation (‘Cross-site Scripting’) | CWE-79 | A1:2017, A03:2021 | Added 2026-02-17 |
| php-laravel-xss-taint | Improper neutralization of input during web page generation (‘Cross-site Scripting’) | CWE-79 | A1:2017, A03:2021 | N/A |
| php-smarty-ssti-taint | Improper neutralization of special elements used in a template engine | CWE-1336 | A1:2017, A03:2021 | N/A |
| php-symfony-cmdi-taint | Improper neutralization of special elements used in an OS command (‘OS Command Injection’) | CWE-78 | A1:2017, A03:2021 | N/A |
| php-symfony-codei-taint | Improper control of generation of code (‘Code Injection’) | CWE-94 | A1:2017, A03:2021 | N/A |
| php-symfony-deserialization-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 | N/A |
| php-symfony-deserialization-yaml-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 | N/A |
| php-symfony-misconfiguration-cookie-httponly-atomic | Sensitive cookie without ‘HttpOnly’ flag | CWE-1004 | A6:2017, A05:2021 | N/A |
| php-symfony-misconfiguration-cookie-samesite-atomic | Sensitive cookie with improper SameSite attribute | CWE-1275 | A6:2017, A05:2021 | N/A |
| php-symfony-misconfiguration-cookie-secure-atomic | Sensitive cookie in HTTPS session without ‘Secure’ attribute | CWE-614 | A6:2017, A05:2021 | N/A |
| php-symfony-misconfiguration-session-httponly-atomic | Sensitive cookie without ‘HttpOnly’ flag | CWE-1004 | A6:2017, A05:2021 | N/A |
| php-symfony-misconfiguration-session-samesite-atomic | Sensitive cookie with improper SameSite attribute | CWE-1275 | A6:2017, A05:2021 | N/A |
| php-symfony-misconfiguration-session-secure-atomic | Sensitive cookie in HTTPS session without ‘Secure’ attribute | CWE-614 | A6:2017, A05:2021 | N/A |
| php-symfony-openredirect-taint | URL redirection to untrusted site (‘Open Redirect’) | CWE-601 | A5:2017, A01:2021 | N/A |
| php-symfony-pathtraversal-filesystem-information-disclosure-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 | N/A |
| php-symfony-pathtraversal-filesystem-medium-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 | N/A |
| php-symfony-pathtraversal-filesystem-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 | N/A |
| php-symfony-pathtraversal-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 | N/A |
| php-symfony-pathtraversal-uploadedfile-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 | N/A |
| php-symfony-ssrf-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 | N/A |
| php-symfony-ssti-taint | Improper neutralization of special elements used in a template engine | CWE-1336 | A1:2017, A03:2021 | N/A |
| php-symfony-xss-stored-taint | Improper neutralization of input during web page generation (‘Cross-site Scripting’) | CWE-79 | A1:2017, A03:2021 | N/A |
| php-symfony-xss-stored-two-taint | Improper neutralization of input during web page generation (‘Cross-site Scripting’) | CWE-79 | A1:2017, A03:2021 | N/A |
| php-symfony-xss-taint | Improper neutralization of input during web page generation (‘Cross-site Scripting’) | CWE-79 | A1:2017, A03:2021 | N/A |
| php-symfony-xss-twig-autoescape-atomic | Improper neutralization of input during web page generation (‘Cross-site Scripting’) | CWE-79 | A1:2017, A03:2021 | N/A |
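The table lists two kinds of rule IDs: those ending in `-taint`, which follow data from an untrusted source to a dangerous sink, and those ending in `-atomic`, which flag a single call site on its own. The PHP below is an added illustration written for this page, not GitLab's rule source or test corpus; it shows the shape of code each kind of rule targets, using the CWE-89 case behind `php-lang-sqli-inbuilt-libs-taint` and the CWE-1004/CWE-614/CWE-1275 session-cookie cases behind the `php-lang-misconfiguration-session-*-atomic` rules. The exact sources and sinks each rule matches are not documented here and are assumed; the request value is constructed inline so the script runs offline against an in-memory SQLite database.

```php
<?php
declare(strict_types=1);

// Added example, not GitLab code. Requires ext-pdo_sqlite.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed stand-in for $_GET['name']; in a real app this is the taint source.
$untrusted = "x' OR '1'='1";

// Taint rule target (CWE-89): the request value is concatenated into the SQL
// text and reaches PDO::query(), the sink, with nothing breaking the flow.
function findUserVulnerable(PDO $pdo, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: a bound parameter. The value is sent separately from the
// statement text, so the SQL parser never treats it as code.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("vulnerable query returned %d row(s)\n", count(findUserVulnerable($pdo, $untrusted)));
printf("parameterised query returned %d row(s)\n", count(findUserSafe($pdo, $untrusted)));

// Atomic rule target (CWE-1004, CWE-614, CWE-1275): no data flow is involved,
// the finding is the call itself. Leaving httponly, secure and samesite unset
// means the session cookie falls back to php.ini defaults, which are not
// hardened unless the deployment sets them.
//
//   session_set_cookie_params(['lifetime' => 0, 'path' => '/']);   // weak
//
// Hardened form: every attribute set explicitly at the call site, so a
// single-call-site check can see them.
function hardenedSessionCookieParams(): array
{
    return [
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from document.cookie
        'samesite' => 'Lax',  // not attached to cross-site top-level POSTs
    ];
}

session_set_cookie_params(hardenedSessionCookieParams());
// session_start() would follow here in a web SAPI; it is omitted so the
// script also runs cleanly from the CLI after the output above.
print_r(session_get_cookie_params());
```

Run with `php example.php`. With the constructed input the concatenated query returns both rows, because the injected `OR '1'='1'` makes the predicate true for every user, while the parameterised query returns none, since no user is literally named `x' OR '1'='1`. The point for triaging findings is that a `-taint` rule needs an unbroken path from source to sink, so routing the value through `prepare()`/`execute()` removes the finding, whereas an `-atomic` rule is satisfied only by the attributes present at the flagged call itself.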